Ex-convict Kevin Mitnick stated “the human factor is truly security’s weakest link.” The St. Paul Companies, a property-liability insurance company, recently surveyed 500 U.S. IT and risk managers about this supposedly weakest link. The results stated that 37 percent of the IT managers did not interact with their risk managers at all. There is a huge gap in communication among key business units.
This huge gap poses a problem for executives in IT, finance, risk, and other business functions that employ enterprise risk management frameworks to detect, prioritize, measure, and control risks that threaten their strategies, processes, financial positions, people, and assets. Several companies, including Microsoft Corporation, General Motors, and FirstEnergy, say that communication between IT, finance, legal, risk, and business functions is essential to a company’s integrated approach to risk management. These companies have created ERM programs that weave together an emphasis on communication, quantification, technology, multiple risk management techniques, and decision-making processes along with data analysis. Microsoft uses technology through a buy-and-build approach to support its ERM program. Specifically, the company uses a combination of purchased applications and internally built applications to help identify, measure, and mitigate risks within its treasury department.
William Shenkir, a professor at the University of Virginia’s McIntire School of Commerce, is one of the country’s foremost academic experts on ERM. He has conducted a detailed analysis of the ERM frameworks of Microsoft, Canada Post, GM, and other organizations. He determined that a hands-on approach by chief audit executives and their internal audit teams is common practice in the companies with the best ERM programs. Shenkir has also concluded that, in light of recent governance and accounting problems, companies today face increased pressure to develop and implement more integrated risk-management capabilities. Shenkir stated that the companies with leading ERM strategies tend to have top executives who lead the discipline, treat enterprise risk as constantly changing, emphasize scenario analysis and risk mapping, and focus on measuring the risks.
Carman Lapointe Young, the corporate auditor for Canada Post, developed four critical steps to create a successful ERM program. First, one must show the returns. The key is to show how much the company is getting in return for the money invested in the ERM function. Second, one must secure top-level commitment. Having senior management and the board of directors support the audit department’s risk assessments helps to identify the critical risks of the company as a whole and also to establish controls to manage and mitigate those risks. Third, it is important to develop an ERM framework that fits the company. The company should either internally build its ERM framework if possible or buy the software from an outside vendor and customize it to fit the company’s needs. Finally, all of the business units need to be involved in the risk-assessment process. This helps to identify all of the risks throughout the company because each unit knows its risks better than any other unit and they are able to express those risks to the other units.